Bug Internet Explorer Security The Internet

New Windows Vulnerability in Help System

wesleyt writes "CERT announced today a significant Microsoft Windows vulnerability related to IE and its handling of the Windows help subsystem. There are currently no patches available and no virus definitions for the major scanners. As well, exploits have been reported in the wild. Because the vulnerability is in the help subsystem, even users who avoid Outlook and IE are vulnerable, since IE is the default handler for help files. It seems that this is going to be an ugly one."
This discussion has been archived. No new comments can be posted.

  • by pe1chl ( 90186 ) on Friday April 09, 2004 @05:14AM (#8813449)
    IE's exe file is not very relevant, as it is only a loader for the DLLs that implement the actual functionality.

    How else could it be so small?

    To really get rid of IE you need to remove the DLL files that it uses, and you will break many other programs in the process. Because they all closely link to each other.
  • Re:Privilege level (Score:3, Interesting)

    by pe1chl ( 90186 ) on Friday April 09, 2004 @05:16AM (#8813464)
    To install new software, users (except the totally clueless) log in as an administrative user, or even choose to run the setup program as an administrative user while being logged in as an unprivileged user.

    Unfortunately, the default distribution of Windows is not set up this way, and is even discouraging it (especially in the Home version).
  • Afraid (Score:5, Interesting)

    by InternationalCow ( 681980 ) <mauricevansteensel.mac@com> on Friday April 09, 2004 @05:22AM (#8813480) Journal
    I don't know about the rest of you, but things like these are actually scaring me out of running Windows. Apart from my powerbooks (no problems there) I have one PC laptop on which I run WinXP and Linux and I like to use Windows for its ACPI support, but I'm now constantly afraid that some as yet undescribed security hole will allow someone to screw up my computer/home network. Brrrr. No Windows any longer, I'm sick and tired of being afraid when using my computer.
  • Re:MS (Score:2, Interesting)

    by MrNonchalant ( 767683 ) on Friday April 09, 2004 @05:28AM (#8813512)
    "By convincing a victim to view an HTML document such as a web page or HTML email message, an attacker could execute script in a different security domain than the one containing the attacker's document." So basically we're talking another e-mail attachment auto-execution exploit here. A whole new generation of viruses just got a way to spread minus a user's click. Thank goodness I use Mozilla mail.
  • by exmsfty ( 695351 ) on Friday April 09, 2004 @05:37AM (#8813545)
    Well, the interesting thing to me is I was a contract tester on the HTMLHELP team in 1999...and I filed a bug report for this very exploit. So by my stopwatch we are at 5 years and counting. FWIW, I used this exploit to nuke my boss's computer via the "Goodtimes" virus...yea, it was a hoax, but with this exploit I could run "rd /s/q \winnt" from the Preview Pane of Outlook :) If you care then write ShaneMc@microsoft.com and ask him why it wasn't fixed 5 years ago.
  • Mitigation? (Score:3, Interesting)

    by Henk Poley ( 308046 ) on Friday April 09, 2004 @05:44AM (#8813567) Homepage
    Are you sure?
  • Re:Privilege level (Score:3, Interesting)

    by Halfbaked Plan ( 769830 ) on Friday April 09, 2004 @05:49AM (#8813585)
    To extend your analogy to fit better, consider a world in which many doors, windows, cabinets, etc. are designed in such a way that it's impossible to install a key lock. Others are designed so that a keylock can be installed, but there's only one supply anywhere in the world for key blanks for that particular lock. So you can't lock certain places at all, because you only have one key, and there are five of you who need access to that cabinet or room.
  • ie rants (Score:4, Interesting)

    by bmac ( 51623 ) on Friday April 09, 2004 @06:02AM (#8813625) Journal
    I use a "custom level" for my internet zone. I basically turn off *everything*. I don't need java, and "active scripting" should be re-worded to say "give web pages access to God-knows-what?".

    Besides, I really despise the "AppletTransition Sensor" that ESPN and other sites use. Screw `em. Just give me the dang HTML and, please, IE, just render it for me. No code, no scripts, no popups, no crap.

    Websites that require JavaScript piss me off. The stupid Washington Post can't even render a page without JavaScript. What a terd.

    Now, if only I could get IE to stop displaying the "Your browser doesn't allow ActiveX controls" message that pops up on pages where the designer used some crap control. I've made ActiveX controls and I *know* they can do anything they want on my system. Arg.

    And wtf is with "install desktop items"? This is a *web* *browser*, not the control panel, for crying out loud.

    And, last but not least, when I disable all this crap and then hit apply, it gives me a confirm warning message, but when I (because I need to use JavaScript on some crappy page) restore the default "cheap-whore-mode" settings, it doesn't say a word! Nice emphasis, Microsoft.

    Yeah, I know, use a different browser (or OS), but we all know Windows is *designed* to not interoperate well with those things, right? Sometimes, it wastes time to try to fight inertia.

    Anyhow, my feeling is that the desktop situation on Linux and BSD won't be solved until X is ditched completely. Just give me the dang screen buffer(s) and some basic routines and I'll draw my own shtuff. X is a 25-year-old terd, designed for machines with, like, 4k of memory (warning: hyperbole). Just give me font, line, point, ellipse, bitblt and friggin window data structures -- straight to the video card. And access to the video card reg's would be nice too.

    End of Rant, enjoy your day.

    Peace & Blessings,
    bmac
  • Mod Parent UP! (Score:5, Interesting)

    by Chordonblue ( 585047 ) on Friday April 09, 2004 @06:07AM (#8813634) Journal
    Where's my friggin points when I need them?

    Look, this is absolutely true. There is still plenty of software out there that breaks under W2K/WXP when not run as a local administrator.

    And forget 'looser' environments. I run a network at a private school. Care to take a guess how much educational software cares about following the rules properly? Grrr!!!

  • Re:MS (Score:4, Interesting)

    by Anonymous Coward on Friday April 09, 2004 @06:09AM (#8813639)
    As if they needed another method.

    try:
    <img src=mailto:user@host?Subject=Something&Body=Fun>
    on IE...
  • Re:Privilege level (Score:5, Interesting)

    by TheLink ( 130905 ) on Friday April 09, 2004 @06:15AM (#8813657) Journal
    Login as your usual restricted user for your normal stuff (wordprocessing etc), e.g. joe

    Right click on the IE/browser shortcut, select run as different user e.g. www_joe.

    Then give www_joe permissions to joe's browser directories, or point the browser files to different folders in the registry/config files.

    Of course this doesn't protect against shatter attacks etc.

    So run IE in a VMware virtual machine and rollback after each session (copy out the data you want before that). VMware Workstation is now USD189 prev was USD299 or some high price.
  • by plugger ( 450839 ) on Friday April 09, 2004 @06:22AM (#8813681) Homepage
    It doesn't always work though. If you are accessing files through a mapped network drive letter, a program run as administrator won't see the virtual drive.

    It doesn't work as well as 'su -c xxx', I wish it did.
  • by Xabraxas ( 654195 ) on Friday April 09, 2004 @06:31AM (#8813702)
    There are certain programs that will only run with super user privileges in linux that I use on a daily basis. For this I use sudo. I just have to add the executable name to my sudoers file and edit the entry in my menu to use sudo, but after that it's smooth sailing. I try to keep my sudoers file as minimal as possible to avoid any problems. For example, it would be easier sometimes to have my text editor in my sudoers file when I need to edit system-wide config files but that's giving way too much power away. I'll just suck it up instead and use su. The price of security can be difficulty but that's no reason to avoid it.
  • source code leak? (Score:2, Interesting)

    by qqqqarl ( 678615 ) on Friday April 09, 2004 @06:50AM (#8813735) Homepage
    does anyone know where this exploit originated?

    is it, perchance, related to the recent windows source code leak?

    K.
  • by Anonymous Coward on Friday April 09, 2004 @06:56AM (#8813753)
    games require you have admin access to work, i.e. The Sims (god knows why)

    That is for the copy protection to work properly.

    God.
  • Re:Mod Parent UP! (Score:2, Interesting)

    by snkline ( 542610 ) on Friday April 09, 2004 @07:26AM (#8813830)
    Even the difference between NT4 and XP causes problems. When we were migrating from NT to XP at my old job we came across a problem with AutoCAD Architectural Desktop. The program ran, but certain program options didn't work properly (for adding things like light fixtures)

    As I dug into what the problem was I was amazed at how poorly designed AutoCAD AD was! Every time it runs it wants to write registry data into HKLM\Software\Autodesk\.... instead of HKCU\Software\Autodesk\.... where it belongs. Now I thought I could work around this problem, by simply giving users write permission on the Autocad tree. Nope, not only were they trying to write to HKLM, but they were opening the Software key, and writing from there (Open Software for writing, write Autodesk\AutoCAD AD\example) But even though the data being written is below the software key, you still can't open the Software key explicitly for writing. ARGG! And of course this problem was with the upgrade that was bought specifically because it was an upgrade for Windows XP! Autodesk didn't even seem to care...
  • Re:ie rants (Score:3, Interesting)

    by bmac ( 51623 ) on Friday April 09, 2004 @08:21AM (#8813991) Journal
    Yes, I'm as familiar with X as one can be after programming with it professionally on Sparcs back in the day (92'ish). How many volumes were in the Xlib reference set? Like 6, plus that God-awful Motif stuff. Blech.

    Yes, *every* window manager / windowing toolkit gives that functionality, but X's underlying layer is network-based, so getting the Display and Screen handles is a level of abstraction better done away with, IMO.

    Peace & Blessings,
    bmac
  • Re:Privilege level (Score:5, Interesting)

    by ymgve ( 457563 ) on Friday April 09, 2004 @08:55AM (#8814163) Homepage
    Games need Administrator privileges because the copy protection systems use driver tricks that are only available to administrators. Yet another reason why copy protection should be abolished.
  • Works for me and you (Score:3, Interesting)

    by Unknown Poltroon ( 31628 ) * <unknown_poltroon1sp@myahoo.com> on Friday April 09, 2004 @08:57AM (#8814182)
    But try explaining that to my dad, who can't figure out what program he's sending e-mail from.
  • by value_added ( 719364 ) on Friday April 09, 2004 @08:58AM (#8814196)
    I'm not surprised. I'm reasonably familiar with the format as I've authored numerous CHM files and spent even more time re-compiling others (removing those HTMLHelp-specific features that MS and anyone following their lead insists on adding that I consider both nutty and inappropriate). IIRC, development stopped on v1.x a long time ago, and the much heralded new help system has some real problems of its own. A number of existing bugs for v1.x have been documented for some time, like those referred to here [helpware.net]. Others, well, for years no one at MS has shown any interest in fixing anything unless it involves an embarrassing exploit.

    It's too bad, really. I'm not at all impressed with what little MS has done with the format (it still strikes me as an afterthought), but compiled HTML can be a blessing. Anyone with tens of thousands of HTML docs on their drive (a handful of O'Reilly books?), can appreciate the simplicity of a single file.

  • That doesn't work. (Score:3, Interesting)

    by Ayanami Rei ( 621112 ) * <rayanami&gmail,com> on Friday April 09, 2004 @09:46AM (#8814652) Journal
    Explorer is already running (as your shell) and you can't convince it to restart itself as a different user. What you have to do is kill your existing explorer, (which kills everything including your desktop) then use the task manager to start it again using runas.

    The new problem there is your WHOLE DESKTOP is now running as Administrator. Remember to kill it and restart it as yourself when you're done.
  • by Repugnant_Shit ( 263651 ) on Friday April 09, 2004 @09:48AM (#8814673)
    But that isn't a solution, it's a workaround for shitty software! In Linux I don't have to su to run UT2004 or Half-Life.
  • by HeelToe ( 615905 ) on Friday April 09, 2004 @10:24AM (#8815018) Homepage

    Linux is *not* user friendly, and until it is linux will stay with >1% marketshare.

    Take installation. Linux zealots are now saying "oh installing is so easy, just do apt-get install package or emerge package": Yes, because typing in "apt-get" or "emerge" makes so much more sense to new users than double-clicking an icon that says "setup".

    I hate to break it to you, but anyone with the attitude you display is the problem, not a lack of user friendliness.

    I have used linux since .95pre2 when it was bootstrap your own days. I've used 386bsd/FreeBSD from a similar point in time (since linux had no real networking layer at that point I switched permanently until the past 2 years where I'm again using both for different reasons).

    I just did a fedora core 1 install. What a joke! Less questions, less knowledge required than a Windows install.

    Even once you get it up and running it is smooth and easy to find what you want, vs. a standard kde install on another distro leaving you 40 choices for each type of functionality you'd like to use.

    Here's the problem - any installation is somewhat of a barrier because most people do not install windows themselves - it comes on their computers. The steps being taken by Sun, Lindo(w)s, SuSe, Xandros, and others to get their distros defaulted on budget machines will get the familiarity and ease-of-use out there to the masses.


    Linux zealots are far too forgiving when judging the difficulty of Linux configuration issues and far too harsh when judging the difficulty of Windows configuration issues. Example comments:

    You're right. A friend is helping me bootstrap debian on a running machine I have nothing but net access to. Obviously a little tricky, but once you understand the basics, it's really reasonably easy. However, most Linux "power-users" would expect everyone to be able to do it.

    Your examples with Quake show just why we need a common push for progress in this area, and the individual camps are making great strides, but there needs to be a more unified effort to get better traction.
  • Re:In Linux-land... (Score:3, Interesting)

    by cmacb ( 547347 ) on Friday April 09, 2004 @10:32AM (#8815098) Homepage Journal
    "Somewhere in Linux-land, a phone rings....

    Hello? Oh, hi mom. Yeah, I can help you install a program on your computer. What do you want to install? Oh, cool. Have you downloaded it? Good job. OK, open up a terminal...."


    Very funny, and very true.

    I learned my lesson the hard way. I GAVE someone an older machine fully configured and ready to go with Debian installed. I did this after they constantly complained to me how their two Windows systems were messed up. I suggested that they use Linux to at least do their web browsing and e-mail and save the Windows machines for whatever special applications (preferably non-networked) that they had.

    Instead, they reformatted the machine and installed Windows on it, and gave it to someone else. Talk about gratitude. I don't think they even bothered to try it.

    Needless to say I don't offer much sympathy for them now when they can't get their CD burner to work or they are getting new pop-ups, or they can't turn their machine off because they are afraid that it won't boot right again (a problem they have regularly). "So sorry" I say. I'm just a simple Linux user who doesn't understand that sophisticated Windows stuff.

    My rule now is not to help anybody who does not really want to be helped. Give them the system ready to go. Tell them the root password and advise them to either leave it at that or change it and write it down, put it in their wallet if they have to. I'd also set up an alternate account that I can get into (with their permission) using SSH so that I can avoid the type of conversation in your example.

    Of course if they were using Suse and the Yast installer they wouldn't have that problem. Or they could use Debian and Kpackage, Lindows and its equivalent, Mandrake and its equivalent. The Linux installers are getting better and better while the Windows stuff is either standing still or taking steps backwards to thwart exposures.

    By and large the Aunt Tillies of this world don't install applications anyway. What they want is an Internet appliance, and Linux pretty much gives them that. I think the jury is still out on whether home users in the future will even need an e-mail client program. I already know many who don't know how to read their mail with anything but a web-based interface like Yahoo, and they've never even heard of newsgroups. If Google follows through on their 1-Gig Inbox concept who knows, they might offer several Gigs of online hard-drive next. Given that, I'm not sure the average Internet user even needs a real hard drive in their machine. The true internet appliance may be just around the corner, rendering the OS wars moot.
  • Re:MS (Score:4, Interesting)

    by scrytch ( 9198 ) <chuck@myrealbox.com> on Friday April 09, 2004 @10:32AM (#8815104)


    It starts up mail! I can't believe it, it starts up mail! What an insecure piece of shit, I can't believe it! On firefox, when I view it ... it starts up mail!

    Oh wait, you wanted me to do it in IE? Oh yeah, that does it too.
  • by afidel ( 530433 ) on Friday April 09, 2004 @10:41AM (#8815194)
    It doesn't, and is the number one real world reason why runas is all but worthless. If I could really login as a trusted user only when I need to then I would do it that way, but I can't get any real work done like that. If it was as easy to login as a second user as it is with XP's fast user switching then I think you would see a lot more admins doing it. MS needs to fix fast user switching to work in domain mode for the next client OS if they really want to take a real world step towards better security.
  • Re:Privilege level (Score:3, Interesting)

    by damiam ( 409504 ) on Friday April 09, 2004 @10:56AM (#8815369)
    Works fine for me. The few programs I have that require Administrator access have their shortcuts set up to prompt for a password when they start. Simple.

    Good for you. It doesn't work fine for a lot of other people. It would help if MS would implement some way to just let you type in a password without requiring two mouse clicks in the "Run as" dialog just to focus the password input box (which is grayed out by default).

    Run as is usable for limited tasks, but I tried using WinXP as a non-administrator for a couple weeks and got so fed up with it that I just gave my account administrator privileges. Since I'm behind a firewall, don't run IIS, don't check mail on this machine, and don't use IE, I'm not too scared of viruses being able to delete (easily replaced) system files in addition to the personal documents that they could already mess with.

    Uh, "Run As" *is* the "form of sudo".

    In a very limited sense. Sudo can be set up to allow admin access to some programs by certain users without prompting for a password. Runas (at least in its GUI form) cannot.

  • by AxelBoldt ( 1490 ) on Friday April 09, 2004 @11:12AM (#8815577) Homepage
    I wonder if people using this Mozilla plugin [mozdev.org] are vulnerable though.
  • by One Louder ( 595430 ) on Friday April 09, 2004 @11:32AM (#8815827)
    Interesting post, but what has difficulties in installing games on Linux got to do with the fact that Windows has a gaping security hole?

    If Linux can't run a particular game out of the box, it doesn't hurt anyone. If Windows has a massive security hole, it costs businesses millions of dollars, clogs up the Internet with traffic, creates opportunities for spammers to make spam zombies, and exposes sensitive private data.

    I just don't see how you can compare those two types of problems.

  • Very curious... (Score:4, Interesting)

    by kikta ( 200092 ) on Friday April 09, 2004 @04:00PM (#8819330)
    IE 6.0 and Firefox 0.8 do indeed open up a compose email window. Mozilla 1.6, OTOH, just sits there with a broken picture icon.

    I'm not sure which is more interesting - that Firefox allows such a boneheaded thing or that Firefox allows it when Mozilla does not. Aren't both using the same version of Gecko (I'm assuming that this is a function that Gecko would handle)?
